Dropbox Pwned Via A Phishing Attack

Dropbox has disclosed a security breach in which a threat actor stole 130 code repositories after gaining access to a GitHub account with employee credentials harvested through a phishing attack.

At Dropbox, we use GitHub to host our public repositories as well as some of our private repositories. We also use CircleCI for select internal deployments. In early October, multiple Dropboxers received phishing emails impersonating CircleCI, with the intent of targeting our GitHub accounts (a person can use their GitHub credentials to log in to CircleCI).

While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site. This eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories. 

These repositories included our own copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team. Importantly, they did not include code for our core apps or infrastructure. Access to those repositories is even more limited and strictly controlled.

On the same day we were informed of the suspicious activity, the threat actor’s access to GitHub was disabled. Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data—if any—was accessed or stolen. We also reviewed our logs, and found no evidence of successful abuse. To be sure, we hired outside forensic experts to verify our findings, and reported this event to the appropriate regulators and law enforcement.

Mike Fleck, Senior Director of Sales Engineering at Cyren, had this to say:

     “This is another reminder that phishing is an unsolved problem. Attackers are continuously updating their credential harvesting tactics, now with the ability to defeat common forms of MFA. By having the employee enter their username, password, and one-time token, the attacker easily had access to any privileges that employee had. Employees will always receive convincing but fraudulent emails. Submitting users to security awareness training with the expectation they will spot all of these attacks is unrealistic. Businesses need to use additional layers of email security to automate the hunting and removal of these social engineering attacks.”

I would add that this is why a move to something like passwordless authentication might be worth considering as it cuts off this attack vector. I say that because based on what Dropbox has said in its disclosure, the threat actor used the law of averages in their favour to break in. And what companies need to do is to cut off as many attack vectors as possible to avoid being pwned by hackers.
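The disclosure above describes the core weakness: a one-time code typed into a look-alike page is just a string, so it verifies correctly no matter which site the user entered it on. Origin-bound credentials (FIDO2/WebAuthn, the basis of most "passwordless" schemes) behave differently because the browser, not the user, records the origin the assertion was made on, and the real service rejects anything signed for a different origin. The following model is an added illustration, not Dropbox's or CircleCI's code: the origins, secrets and key material are constructed, and the authenticator's public-key signature is stood in for by an HMAC so the script runs on the standard library alone (an assumption, not how real authenticators sign).

```python
"""Why an OTP relays through a phishing page but an origin-bound assertion does not.

Added illustration; all origins, secrets and keys below are constructed.
"""
import hashlib
import hmac
import json
import os
import struct

LEGIT_ORIGIN = "https://ci.example"         # constructed stand-in for the real login page
PHISH_ORIGIN = "https://ci-login.example"   # constructed look-alike domain


# ---- Part 1: TOTP (RFC 6238) is not bound to any origin -------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard HMAC-SHA1 TOTP: HOTP over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp_login(server_secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """The server only sees a code; it cannot tell which page the user typed it into."""
    return hmac.compare_digest(totp(server_secret, unix_time), submitted_code)


def relay_otp_through_phish(shared_secret: bytes, unix_time: int) -> bool:
    """User types the code into the phishing page; the page forwards it to the real site."""
    code_typed_on_phish = totp(shared_secret, unix_time)   # generated by the user's own token
    return totp_login(shared_secret, code_typed_on_phish, unix_time)   # accepted: relay works


# ---- Part 2: WebAuthn-style assertion carries the origin the browser saw ---
def authenticator_assert(cred_key: bytes, challenge: bytes, origin_seen: str) -> dict:
    """The browser fills in the origin it is actually on; the user cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin_seen},
        sort_keys=True,
    ).encode()
    # Real authenticators sign client_data with a per-site private key (and the
    # credential is scoped to that site's RP ID, so a look-alike domain normally
    # never even receives it). HMAC stands in here so the script needs no extra libs.
    signature = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}


def rp_verify(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks: type, origin, challenge, then signature."""
    client_data = json.loads(assertion["client_data"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != LEGIT_ORIGIN:      # the check that defeats the relay
        return False
    if client_data.get("challenge") != expected_challenge.hex():
        return False
    expected_sig = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def direct_login(cred_key: bytes) -> bool:
    """User authenticates on the genuine page."""
    challenge = os.urandom(32)
    assertion = authenticator_assert(cred_key, challenge, LEGIT_ORIGIN)
    return rp_verify(cred_key, challenge, assertion)      # accepted


def relay_assertion_through_phish(cred_key: bytes) -> bool:
    """Phishing page forwards the real challenge, but the browser reports its own origin."""
    challenge = os.urandom(32)   # issued by the real site, relayed by the look-alike
    assertion = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify(cred_key, challenge, assertion)      # rejected: origin mismatch


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print("OTP relayed via phish accepted:", relay_otp_through_phish(secret, 1_700_000_000))
    print("WebAuthn direct login accepted:", direct_login(secret))
    print("WebAuthn relayed via phish accepted:", relay_assertion_through_phish(secret))
```

The contrast is the point: in Part 1 nothing the server receives identifies where the user was, so training users to spot the fake page is the only defence, which is exactly the limitation Fleck describes. In Part 2 the origin is asserted by the browser and verified by the relying party, so the same relayed challenge fails regardless of how convincing the page looked.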
